Harshberger
1
Doug Harshberger
Dr. William Oblitey
Computer Science 316
Detecting Signs of Intrusion on a Host Computer
The aspect of host security discussed in this paper is detecting signs of intrusion. This
aspect of security is often overlooked, since most countermeasures in security are preventative
controls (Panko 3). This paper has three goals: to explain the importance of detecting
intrusions, to present a step-by-step guide that makes detecting signs of intrusion easier, and
to show what types of software are available to automate the detection process.
First, before understanding what intrusion detection is, one must know what a host
computer is. According to Raymond R. Panko, a host is any device with an IP address. A wide
array of devices have IP addresses, such as “clients, servers, routers, firewalls, and even many
mobile phones” (208). Security professionals’ jobs consist of preventing and dealing with
incidents. Incidents, also known as compromises, occur when a threat to a computer system
successfully disrupts a device or corporation (3). When dealing with these compromises,
security professionals must know the three typical means of countering attacks. The underlying
goal of these countermeasures “is to keep business processes on track for meeting their business
goals despite the presence of threats and actual compromises” (Panko 3). The first and most
widely used type of countermeasure is the preventative countermeasure, which inhibits attacks
from happening in the first place. The second type is the detective countermeasure, which
recognizes when a computer is being attacked. The last type is the corrective countermeasure, which
remediates any damages caused by an attack on security (Panko, 3). This paper focuses on the
importance and use of detective countermeasures.
A common goal in security is to avoid intrusions on a computer. This should not,
however, be the only security measure a business takes. In Allen and Stoner’s article, Detecting
Signs of Intrusion, they conclude that preventative measures are never fool-proof, meaning there
is always the chance an intrusion could occur at any time (1). In the publication, Guide To
Intrusion Detection and Prevention Systems (IDPS), the authors define intrusion detection as
“the process of monitoring the events occurring in a computer system or network and analyzing
them for signs of possible incidents, which are violations or imminent threats of violation of
computer security policies, acceptable use policies, or standard security practices” (ES-1).
Financially, it is important for businesses to detect intrusions: if they do not, they could sour
their reputation with clientele, resulting in a loss of business and therefore a loss of money.
Worse yet, a business that does not detect an intrusion could be sued. Intruders often take
over computer systems to launch further attacks on other computer systems, and if a computer in
your business is used to attack other businesses, you could be held liable for not maintaining a
secure system. Without detection, you will also not know the extent of a compromise or how
much damage was done. This makes it harder to know whether the intruder was completely
eliminated from the system, increasing the time needed to recover to normal operation (2).
Some of the recommended steps for intrusion detection include preparing, determining the
integrity of software, observing for malicious activity, assessing for unauthorized physical
devices, and following through (Allen and Stoner 4). The preparation phase begins with the
business determining its policies and procedures in regard to intrusion detection,
defining what data needs to be analyzed, and how that data will be collected. The second phase
ensures the integrity of the system by examining software, making sure it is verifiable and
up to date. The third phase consists of checking for abnormal network and system activity,
as well as file and directory integrity. The fourth phase involves inspecting for unauthorized
devices attached to a computer, such as modems, printers, and removable disc drives. This phase
also ensures the integrity of authorized physical media, such as CD-ROMs, discs, and paper. In the
last phase, the business analyzes external intrusion detection reports, compares them with its
own reports, and takes the appropriate measures to counter an intrusion. This reaction
initiates the transition from the detection countermeasure to the response countermeasure
(Allen and Stoner 12).
Even though detecting signs of intrusion can be difficult for a business, much of the
process can be automated by using software on the host computer. Many of these detection
techniques are used in IDSs, or intrusion detection systems.
There are three classifications of intrusion detection systems: host-based IDSs,
network-based IDSs, and hybrid IDSs. Host-based IDSs are used on servers and workstations
and analyze data found on the individual computer systems (Ashoor and Gore 3). Network-based
IDSs monitor network traffic from multiple hosts and examine it for suspicious activity (Scarfone
and Mell 9). Hybrid IDSs combine devices from both network- and host-based intrusion detection
systems (Ashoor and Gore 3). This paper focuses on host-based intrusion detection systems.
Host-based intrusion detection and IDSs began in 1980 through the work of
James Anderson, specifically in his paper, Computer Security Threat Monitoring and
Surveillance, where “the concept of “detecting” misuse and specific user events emerged”
(Ashoor and Gore 1). The first model of an IDS, called the Intrusion Detection Expert System,
was developed in 1984 by Dr. Dorothy Denning and SRI International to “analyze audit trails
from government mainframe computers and create profiles of users based upon their activities”
(2). Host-based intrusion detection systems were the first developed, to protect standalone
mainframe computers before networks became the norm (Debar, Dacier and Wespi 812). Intrusion
detection systems have only been marketed since the early 1990s (Ashoor and Gore 2).
There are two main methods of intrusion detection: knowledge-based and behavior-based.
Knowledge-based methods look at previously made attacks and compare those attacks to data
collected by the IDS to locate traces of an attacker. When an attack is recognized, an alarm is
activated. An advantage of knowledge-based methods is that they have fewer false alarms, but
they have the disadvantage of not recognizing new threats. In comparison, behavior-based
methods sense intrusions by keeping a model of standard behavior and identifying deviations
from it. An advantage of behavior-based methods is that they can recognize new attacks, but
they have the disadvantage of an increased number of false alarms (Debar, Dacier and Wespi
808-810).
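The two methods above can be shown side by side on log data. The following Python script is an added example for this paper, not code from the paper or from any IDS product; the sshd log lines, host name, user names and addresses are constructed, and the function names (parse, knowledge_based, build_profile, behavior_based) and the signature list are assumptions for illustration. The knowledge-based detector matches each event against signatures of already-known attacks; the behavior-based detector builds a profile of which addresses each user normally logs in from during a reviewed baseline window and flags successful logins that deviate from it.

```python
import re

# Constructed sample sshd log lines for illustration (not taken from the paper
# or from any real system). The baseline window is a period the operator has
# reviewed and considers normal; the monitored window is what the IDS inspects.
BASELINE_LOG = """\
Mar 10 08:01:12 host1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 08:03:40 host1 sshd[2144]: Accepted password for bob from 10.0.0.7 port 51100 ssh2
Mar 10 08:05:02 host1 sshd[2190]: Failed password for alice from 10.0.0.5 port 51200 ssh2
Mar 10 09:15:55 host1 sshd[2301]: Accepted password for alice from 10.0.0.5 port 52001 ssh2
"""

MONITORED_LOG = """\
Mar 11 07:58:31 host1 sshd[3100]: Accepted password for bob from 10.0.0.7 port 53010 ssh2
Mar 11 23:41:03 host1 sshd[3402]: Failed password for root from 198.51.100.23 port 40001 ssh2
Mar 11 23:41:04 host1 sshd[3403]: Failed password for root from 198.51.100.23 port 40002 ssh2
Mar 11 23:41:05 host1 sshd[3404]: Failed password for root from 198.51.100.23 port 40003 ssh2
Mar 11 23:41:06 host1 sshd[3405]: Failed password for root from 198.51.100.23 port 40004 ssh2
Mar 11 23:41:07 host1 sshd[3406]: Failed password for root from 198.51.100.23 port 40005 ssh2
Mar 11 23:41:08 host1 sshd[3407]: Failed password for root from 198.51.100.23 port 40006 ssh2
Mar 11 23:45:00 host1 sshd[3450]: Accepted password for alice from 203.0.113.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# Knowledge-based detection: a list of signatures describing attacks that are
# already known. Each signature is a name plus a predicate over one event.
SIGNATURES = [
    ("password failure for root over SSH",
     lambda e: e["result"] == "Failed" and e["user"] == "root"),
    ("password login as root over SSH",
     lambda e: e["result"] == "Accepted" and e["user"] == "root"),
]


def knowledge_based(events):
    """Raise an alarm for every event that matches a known-attack signature."""
    alarms = []
    for e in events:
        for name, matches in SIGNATURES:
            if matches(e):
                alarms.append((name, e["ts"], e["user"], e["ip"]))
    return alarms


# Behavior-based detection: build a model of normal behavior (which source
# addresses each user normally logs in from) and flag deviations from it.
def build_profile(baseline_events):
    profile = {}
    for e in baseline_events:
        if e["result"] == "Accepted":
            profile.setdefault(e["user"], set()).add(e["ip"])
    return profile


def behavior_based(profile, events):
    """Raise an alarm for a successful login from an address outside the user's profile."""
    alarms = []
    for e in events:
        if e["result"] == "Accepted" and e["ip"] not in profile.get(e["user"], set()):
            alarms.append(("login from address outside user's profile",
                           e["ts"], e["user"], e["ip"]))
    return alarms


if __name__ == "__main__":
    monitored = parse(MONITORED_LOG)
    for alarm in knowledge_based(monitored):
        print("knowledge-based:", alarm)
    for alarm in behavior_based(build_profile(parse(BASELINE_LOG)), monitored):
        print("behavior-based:", alarm)
```

Run on the monitored window, the signatures raise six alarms for the root password failures, a pattern the rules already describe, and say nothing about alice's login from 203.0.113.9, for which no rule exists. The behavior model raises exactly one alarm, for that login, because the address is outside alice's profile; whether that is a compromise or a legitimate trip is the false-alarm cost the paper attributes to behavior-based methods, and the model is silent on the root failures because it only learned from successful logins.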
Host-based IDSs scan for a variety of events, including code analysis, network enquiry,
file system monitoring, and log analysis. Businesses need to decide which aspects need to be
monitored, which devices need detection software, and what software fits their needs.
Code analysis detects harmful activities by examining attempts to execute code. A variety of
code analysis techniques exist, such as code behavior analysis, buffer overflow detection,
system call monitoring, and application and library lists. Next, there are several techniques in
host-based IDSs that look at networks. Network traffic analysis looks at both wired and wireless
traffic, similar to network IDSs. Another network aspect is monitoring network configuration
changes, which would show that the host has been compromised and configured to take over other
host computer systems. Next, different methods are used to monitor file systems. File integrity
checking determines changes in a file by comparing checksums. File attribute checking tests for
differences in the ownership and permissions of files. Files can also be checked by looking at
what users and programs are trying to access them. Some host-based IDSs use log analysis,
which detects intrusive outsider behavior by monitoring log files produced by the operating
system and various software applications (Scarfone and Mell 60-62).
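File integrity checking and file attribute checking, described above, and the integrity phase of the step-by-step guide earlier in the paper, both come down to the same mechanism: record a checksum and the attributes of every file while the system is known to be good, then compare a fresh snapshot against that baseline. The Python script below is an added example written for this paper, not code from the paper or from any IDS product; it builds a constructed directory tree in a temporary folder, baselines it, simulates four kinds of change, and reports them. The function names (snapshot, compare, demo), the file names and their contents are assumptions, and the script assumes a POSIX file system where chmod changes the permission bits.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record a SHA-256 checksum and the attributes of every regular file under root.

    The result is the baseline a host-based IDS would store after the system
    was last known to be in a good state.
    """
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are not checksummed here
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            records[rel] = {
                "sha256": digest.hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return records


def compare(baseline, current):
    """Return (path, finding) pairs for every difference between two snapshots."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "removed"))
        elif rel not in baseline:
            findings.append((rel, "added"))
        else:
            before, after = baseline[rel], current[rel]
            if before["sha256"] != after["sha256"]:
                findings.append((rel, "content changed"))
            if before["mode"] != after["mode"]:
                findings.append((rel, "permissions changed %o -> %o"
                                 % (before["mode"], after["mode"])))
            if (before["uid"], before["gid"]) != (after["uid"], after["gid"]):
                findings.append((rel, "ownership changed"))
    return findings


def demo():
    """Build a constructed directory tree, baseline it, change it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed files standing in for a program, its config and a library.
        files = {
            "bin/server": b"#!/bin/sh\necho serving\n",
            "etc/app.conf": b"listen = 8080\n",
            "lib/helper.so": b"\x7fELF constructed placeholder\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "etc/app.conf"), 0o640)
        baseline = snapshot(root)

        # Simulated changes of the kinds the paper says an IDS looks for:
        # altered content, loosened permissions, a removed file and a new file.
        with open(os.path.join(root, "bin/server"), "ab") as f:
            f.write(b"echo extra line\n")
        os.chmod(os.path.join(root, "etc/app.conf"), 0o666)
        os.remove(os.path.join(root, "lib/helper.so"))
        with open(os.path.join(root, "lib/extra.so"), "wb") as f:
            f.write(b"new file\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, finding in demo():
        print("%-16s %s" % (rel, finding))
```

In practice the baseline has to be stored where an intruder who controls the host cannot rewrite it (read-only media or another machine), otherwise the comparison proves nothing; that is the same concern behind the paper's phase of verifying the integrity of the checking software itself.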
Intrusion detection is often an overlooked aspect of computer security. Security
professionals often deal with compromises of host computer devices. Because intrusion
detection is a relatively new field, security professionals must have a systematic approach to
detecting signs of a compromise, which includes preparation, determining the integrity of
software, observing for malicious activity, assessing for unauthorized physical devices, and
following through when a compromise is noted. Host-based intrusion detection systems give
security professionals a complete software environment where intrusion detection is automated
for host computers. IDSs offer several intrusion detection components, including code analysis,
network enquiry, file system monitoring, and log analysis.
Bibliography
Allen, Julia and Ed Stoner. Detecting Signs of Intrusion. Pittsburgh: Carnegie Mellon Software
Engineering Institute, 2000.
Ashoor, Asmaa and Sharad Gore. "Importance of Intrusion Detection System (IDS)." International Journal
of Scientific & Engineering Research (Volume 2, Issue 1, January-2011): 1-4.
Debar, Herve, Marc Dacier and Andreas Wespi. "Towards a taxonomy of intrusion-detection systems."
Computer Networks (1999): 805-822.
Panko, Raymond R. Pearson Custom Business Resource Compiled by Indiana University of PA COSC 316
Host Computer Security. Boston: Pearson Learning Solutions, 2010.
Scarfone, Karen and Peter Mell. Guide to Intrusion Detection and Prevention Systems (IDPS). Special
Publication 800-94. Gaithersburg: National Institute of Standards and Technology; Technology
Administration U.S. Department of Commerce, 2012.